tracing config (#12)

* updated CI * added config and permissions for x-ray tracing * updated docs
moritzzimmer · Nov 26, 2020 · 11b77d7 · 11b77d7
1 parent 7459b69
commit 11b77d7
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 23 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml
@@ -9,29 +9,16 @@ on:
       - master
 
 jobs:
-  validate:
+  check:
     name: Validate
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v2
 
-      - name: Run a Terraform init
-        uses: docker://hashicorp/terraform:0.12.20
+      - uses: hashicorp/setup-terraform@v1
         with:
-          entrypoint: terraform
-          args: init
+          terraform_version: ~0.13.0
 
-      - name: Run a Terraform fmt
-        uses: docker://hashicorp/terraform:0.12.20
-        with:
-          entrypoint: terraform
-          args: fmt -check=true
-
-      - name: Run a Terraform validate
-        uses: docker://hashicorp/terraform:0.12.20
-        env:
-          AWS_REGION: eu-west-1
-        with:
-          entrypoint: terraform
-          args: validate
+      - name: Terraform validate
+        run: make init fmt validate
diff --git a/README.md b/README.md
@@ -160,6 +160,7 @@ MINOR, and PATCH versions on each release to indicate any incompatibilities.
 | ssm\_parameter\_names | DEPRECATED: use `ssm` object instead. This variable will be removed in version 6 of this module. (List of AWS Systems Manager Parameter Store parameters this Lambda will have access to. In order to decrypt secure parameters, a kms\_key\_arn needs to be provided as well.) | `list` | `[]` | no |
 | tags | A mapping of tags to assign to the Lambda function and all resources supporting tags. | `map(string)` | `{}` | no |
 | timeout | The amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no |
+| tracing\_config\_mode | Tracing config mode of the Lambda function. Can be either PassThrough or Active. | `string` | `null` | no |
 | vpc\_config | Provide this to allow your function to access your VPC (if both 'subnet\_ids' and 'security\_group\_ids' are empty then vpc\_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details). | <pre>object({<br>    security_group_ids = list(string)<br>    subnet_ids         = list(string)<br>  })</pre> | `null` | no |
 
 ## Outputs

diff --git a/docs/part2.md b/docs/part2.md
@@ -36,6 +36,7 @@
 | ssm\_parameter\_names | DEPRECATED: use `ssm` object instead. This variable will be removed in version 6 of this module. (List of AWS Systems Manager Parameter Store parameters this Lambda will have access to. In order to decrypt secure parameters, a kms\_key\_arn needs to be provided as well.) | `list` | `[]` | no |
 | tags | A mapping of tags to assign to the Lambda function and all resources supporting tags. | `map(string)` | `{}` | no |
 | timeout | The amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `3` | no |
+| tracing\_config\_mode | Tracing config mode of the Lambda function. Can be either PassThrough or Active. | `string` | `null` | no |
 | vpc\_config | Provide this to allow your function to access your VPC (if both 'subnet\_ids' and 'security\_group\_ids' are empty then vpc\_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details). | <pre>object({<br>    security_group_ids = list(string)<br>    subnet_ids         = list(string)<br>  })</pre> | `null` | no |
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -22,6 +22,7 @@ module "lambda" {
   s3_object_version              = var.s3_object_version
   source_code_hash               = var.source_code_hash
   timeout                        = var.timeout
+  tracing_config_mode            = var.tracing_config_mode
   tags                           = var.tags
   vpc_config                     = var.vpc_config
 }

diff --git a/modules/lambda/main.tf b/modules/lambda/main.tf
@@ -26,6 +26,13 @@ resource "aws_lambda_function" "lambda" {
   tags                           = var.tags
   timeout                        = var.timeout
 
+  dynamic "tracing_config" {
+    for_each = var.tracing_config_mode == null ? [] : [true]
+    content {
+      mode = var.tracing_config_mode
+    }
+  }
+
   dynamic "vpc_config" {
     for_each = var.vpc_config == null ? [] : [var.vpc_config]
     content {
@@ -57,9 +64,13 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_logs" {
 }
 
 resource "aws_iam_role_policy_attachment" "vpc_attachment" {
-  count = var.vpc_config == null ? 0 : 1
-  role  = aws_iam_role.lambda.name
-
-  // see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
+  count      = var.vpc_config == null ? 0 : 1
+  role       = aws_iam_role.lambda.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
 }
+
+resource "aws_iam_role_policy_attachment" "tracing_attachment" {
+  count      = var.tracing_config_mode == null ? 0 : 1
+  role       = aws_iam_role.lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+}
diff --git a/modules/lambda/variables.tf b/modules/lambda/variables.tf
@@ -94,6 +94,12 @@ variable "timeout" {
   default     = 3
 }
 
+variable "tracing_config_mode" {
+  description = "Tracing config mode of the Lambda function. Can be either PassThrough or Active."
+  default     = null
+  type        = string
+}
+
 variable "vpc_config" {
   default     = null
   description = "Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details)."

diff --git a/variables.tf b/variables.tf
@@ -125,6 +125,12 @@ variable "timeout" {
   default     = 3
 }
 
+variable "tracing_config_mode" {
+  description = "Tracing config mode of the Lambda function. Can be either PassThrough or Active."
+  default     = null
+  type        = string
+}
+
 variable "vpc_config" {
   description = "Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details)."
   default     = null